request_uri blocklist and allowlist implemented to enhance security

The request_uri Authorization Request parameter enables OpenID Connect requests to be passed by reference, rather than by value (see the spec). However, when implemented as written in the spec, the request_uri could be used to launch an SSRF (Server-Side Request Forgery) attack against the IDP. To mitigate this risk, we've implemented both a request_uri blocklist and a request_uri allowlist that are configurable in the Gluu Server OpenID Provider JSON configuration.
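As an added illustration, not Gluu's own code, the kind of check an OpenID Provider runs on a request_uri before dereferencing it: blocklist entries win over allowlist entries, a dot-prefixed entry matches a whole domain suffix, and the policy keys and sample hosts are constructed for this example rather than taken from the Gluu configuration. It goes one step beyond the two lists by also rejecting IP literals that point into loopback, private or link-local space.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample policy; the key names are assumed for this example
# and are NOT the Gluu Server configuration keys.
SAMPLE_POLICY = {
    "request_uri_allowlist": ["rp.example.com", ".partners.example.net"],
    "request_uri_blocklist": ["169.254.169.254", "localhost", ".internal"],
}


def _host_matches(host: str, pattern: str) -> bool:
    """Exact match, or suffix match when the pattern starts with a dot."""
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def check_request_uri(uri: str, policy: dict) -> tuple[bool, str]:
    """Return (permitted, reason); run before the OP fetches the URI.

    Only the URL as presented is inspected: a hostname that later resolves
    to an internal address must be caught by the HTTP client at
    resolution time, which this function does not do.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        return False, "scheme must be https"
    host = (parsed.hostname or "").lower()
    if not host:
        return False, "missing host"
    # Reject IP literals aimed at loopback/private/link-local space
    # (metadata services, internal admin ports) even if no list names them.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and (ip.is_private or ip.is_loopback
                           or ip.is_link_local or ip.is_unspecified):
        return False, f"non-public IP literal {host}"
    # Blocklist takes precedence over allowlist.
    for pattern in policy.get("request_uri_blocklist", []):
        if _host_matches(host, pattern):
            return False, f"host blocked by {pattern!r}"
    allow = policy.get("request_uri_allowlist", [])
    if allow and not any(_host_matches(host, p) for p in allow):
        return False, "host not in allowlist"
    return True, "ok"
```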